Abp.Sanitizer can cause a model binding validation bypass

[antheus-s]

When using the Abp.Sanitizer package (any version), sanitization happens after validation in the pipeline. Which means that if I have a dto with a [Required] property, and also want to sanitize the input, and my input is "<script>test</script>", the value after sanitization will be empty. This means that it bypasses the validation.

[ismcagdas]

I couldn't be sure if we execute sanitization before validation.

[antheus-s]

The easiest way to test this would be to have a dto with a required property and to add the HtmlSanitizerAttribute to the method in the app service that uses the dto for input. The value should be something like "<script>test</script>", which, after sanitization, will be "". Even though the property has the RequiredAttribute, the method will be accessible and validation is skipped.

If my explanation is not clear, I can also make an example.

[ismcagdas]

No, it is totally clear. I'm just thinking about this from different angles :)

[antheus-s]

Ah ok :P

[quocduong]

More case
Input: <div STYLE="width: expression(alert('XSS'));">
Output: encode html format

This output will make the HTML form work incorrectly.